diff options
| author | Jann Horn <[email protected]> | 2018-07-06 22:18:09 +0200 |
|---|---|---|
| committer | Saeed Mahameed <[email protected]> | 2018-07-11 12:08:57 -0700 |
| commit | 31e33a5b41bb158f27c30e13b12d6e5e6513ea05 (patch) | |
| tree | 85eee11c59220deeb4139b913385e43e91be4ba2 /tools/perf/util/scripting-engines/trace-event-python.c | |
| parent | b183ee27f5fb07c8428e2fe45d5f35dac611c45d (diff) | |
net/mlx5: fix uaccess beyond "count" in debugfs read/write handlers
In general, accessing userspace memory beyond the length of the supplied
buffer in VFS read/write handlers can lead to both kernel memory corruption
(via kernel_read()/kernel_write(), which can e.g. be triggered via
sys_splice()) and privilege escalation inside userspace.
In this case, the affected files are in debugfs (and should therefore only
be accessible to root) and check that *pos is zero (which prevents the
sys_splice() trick). Therefore, this is not a security fix, but rather a
small cleanup.
For the read handlers, fix it by using simple_read_from_buffer() instead of
custom logic.
For the write handler, add a check.
changed in v2:
- also fix dbg_write()
Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Jann Horn <[email protected]>
Reviewed-by: Leon Romanovsky <[email protected]>
Signed-off-by: Saeed Mahameed <[email protected]>
Diffstat (limited to 'tools/perf/util/scripting-engines/trace-event-python.c')
0 files changed, 0 insertions, 0 deletions